Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Incompatibility with strict CSPs #449

Open
arnemolland opened this issue Jun 13, 2024 · 12 comments
Open

Incompatibility with strict CSPs #449

arnemolland opened this issue Jun 13, 2024 · 12 comments

Comments

@arnemolland
Copy link

arnemolland commented Jun 13, 2024
edited
Loading

Describe the feature / bug 📝:

Sonner does not work with strict CSPs as there's inline styles.

Steps to reproduce the bug 🔁:

  1. Use any CSP with the style-src directive set to anything other than unsafe-inline.

I'm looking into some fixes, but in essence all styles have to be defined in stylesheets for other CSPs to work. If it's impractical to apply a fix, there's always the fork and modify path but having support baked in would be nice.
@arnemolland arnemolland changed the title Issues with strict CSP Incompatibility with strict CSPs Jun 13, 2024
@arnemolland
Copy link
Author

arnemolland commented Jun 13, 2024
edited
Loading

Worth mentioning if someone else stumbles across this; I'm currently (manually) creating hashes of the computed inline styles and using unsafe-hashes to allow them. Without any modifications, these are the hashes needed to allow the inline styles from sonner:

  • 47DEQpj8HBSa+/TImW+5JCeuQeRkm5NMpJWZG3hSuFU=
  • qixoDh78J8vISHKC3rLI7qSXmTShr8mhsUgjJL7W7aU=
  • 3gJFr3n77fnX5qwQpGju/zCOsoHW5RMqQd5XOb9WFcA=

Which can be used with the style-src directive like this:

style-src 'unsafe-hashes' 'sha256-47DEQpj8HBSa+/TImW+5JCeuQeRkm5NMpJWZG3hSuFU=' 'sha256-qixoDh78J8vISHKC3rLI7qSXmTShr8mhsUgjJL7W7aU=' 'sha256-3gJFr3n77fnX5qwQpGju/zCOsoHW5RMqQd5XOb9WFcA=';

@BaDo2001
Copy link

+1

2 similar comments
@louis-foucart
Copy link

+1

@WoetDev
Copy link

WoetDev commented Jul 30, 2024

+1

@WoetDev WoetDev mentioned this issue Jul 30, 2024
Open
2 tasks
@AkshayCloudAnalogy
Copy link

+1

3 similar comments
@willrp
Copy link

willrp commented Oct 28, 2024

+1

@Pruxis
Copy link

Pruxis commented Jan 27, 2025

+1

@gregorjohannson
Copy link

+1

@emilkowalski
Copy link
Owner

The solution here would be moving into a stylesheet instead of injecting the styles into the head, am I understanding it correctly?

@hugomrdias
Copy link

yes, dont bundle css you are already publishing the style.css file we can just import it the way makes more sense on our side.

@pleunv
Copy link

pleunv commented Feb 17, 2025
edited
Loading

Either that so CSS bundling becomes a user concern, allowing sonner to piggyback off i.e. Vite's nonce support which would circumvent the issue, or by providing a similar nonce configuration inside of sonner itself. Personally I'd prefer the former so that all the nonce configuration can be centralized in the bundler.

@huozhi
Copy link
Contributor

huozhi commented Feb 22, 2025

How are you using strict CSP for other library right now? Can you provide more about your setup? (framework, how nonce is passed)

If we need to provide a unique nonce value per request, there needs to be a way pass the nonce from server to the library. vite can control the website rendering and they has the built-in contract to read the csp from meta[property="csp-nonce"] which not every website with CSP rule will have, also it's kinda leaking your CSP rule to all the JS.

I'd love to learn more about your setup and to see what we can adjust here

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests